lambda function cannot invoke step function using LabRole on AWS academy

0

I'm using AWS Academy, where I am not allowed to create IAM roles; what I can use is only the LabRole.

I am trying to use a Lambda function to invoke my Step Function using StartExecution, but it didn't work. I got the error below from CloudWatch. However, it should work with LabRole.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the StartExecution operation: User: arn:aws:sts::051823271855:assumed-role/LabRole/my-s3-function is not authorized to access this resource
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 20, in lambda_handler
    input = json.dumps(input))
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)

Wendy
asked a year ago, 312 views
1 answer
0

Hi Wendy,

Are you able to attach a custom policy to the Lab role as described here? https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html (Modifying a role permissions policy (console))

Then you can select the Step Functions StartExecution action and associate it with a resource ARN.

Hope it helps ;)

EXPERT
answered a year ago
  • I tried this before, but I can't attach a role policy. The error was:

    Errors attaching policies to the role. Policy AWSStepFunctionsConsoleFullAccess not added. User: arn:aws:sts::051823271855:assumed-role/voclabs/user**** is not authorized to perform: iam:AttachRolePolicy on resource: role LabRole because no identity-based policy allows the iam:AttachRolePolicy action

    Thank you so much for your help!

  • Strange. I'd try to add iam:AttachRolePolicy to your user. Most likely it will fail because the lab is maybe too restrictive. Do you have an option to restart the lab (destroy and redo)?

  • I can restart the lab, but it didn't help. I found that the LabRole of my TA is the same as mine. Do you have any suggestions about connecting S3 with Step Functions? I tried EventBridge before, but it also didn't work because of the LabRole.

  • But did you manage to execute the Step Function from Lambda?

    Is the S3 question related to this problem, or is it another one? You would need to elaborate on it a bit, either here or in a new question, depending on that.

  • Yes, I used stepFunction.start_execution( stateMachineArn='arn:aws:states:XXXXXXXXXXXXXXXX:stateMachine:my-state-machine',...) from my lambda.
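As an added example (not code from the question or the answer above), a small stdlib-only Python script that parses an AccessDeniedException message of the shape quoted in the question into the calling principal, role name and session name, and builds the single least-privilege IAM statement (states:StartExecution scoped to one state machine ARN) that the answer suggests attaching to the role. The sample message, the account id and the operation-to-action table are constructed assumptions of this snippet.

```python
import json
import re

# Constructed sample, modelled on the CloudWatch error quoted in the question
# (account id is the AWS documentation placeholder, not a real account).
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the StartExecution "
    "operation: User: arn:aws:sts::123456789012:assumed-role/LabRole/my-s3-function "
    "is not authorized to access this resource"
)

# Assumed mapping from the Step Functions API operation to the IAM action it needs.
OPERATION_TO_ACTION = {"StartExecution": "states:StartExecution"}

DENIED_RE = re.compile(
    r"calling the (?P<op>\w+) operation: User: "
    r"(?P<principal>arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>\S+)) is not authorized"
)


def parse_access_denied(message):
    """Extract operation, caller ARN, account, role and session from the message, or None."""
    m = DENIED_RE.search(message)
    if not m:
        return None
    return {
        "operation": m.group("op"),
        "principal": m.group("principal"),
        "account": m.group("account"),
        "role": m.group("role"),
        "session": m.group("session"),  # for a Lambda caller this is the function name
    }


def least_privilege_policy(operation, state_machine_arn):
    """Build the minimal policy document allowing one operation on one state machine."""
    action = OPERATION_TO_ACTION.get(operation)
    if action is None:
        raise ValueError(f"no known IAM action for operation {operation}")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": action, "Resource": state_machine_arn}],
    }


if __name__ == "__main__":
    info = parse_access_denied(SAMPLE_ERROR)
    print(json.dumps(info, indent=2))
    arn = "arn:aws:states:us-east-1:123456789012:stateMachine:my-state-machine"
    print(json.dumps(least_privilege_policy(info["operation"], arn), indent=2))
```

The role name and session name tell you which role (LabRole) and which function (my-s3-function) need the permission, which is what the answer's console steps grant.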
